CloudShell is a browser-based terminal in the AWS Management Console. You can run CLI commands to set up your resources across different services.
Log in to your AWS Management Console, open CloudShell and follow the instructions below to set up your resources.
1. Set shell variables
Replace the values below with the Scanner-provided values and the names of buckets in your account that you want to be indexed.
# These values will be provided by Scanner
REGION="<INSERT_VALUE_HERE>"
SCANNER_AWS_ACCOUNT_ID="<INSERT_VALUE_HERE>"
STS_EXTERNAL_ID="<INSERT_VALUE_HERE>"
SCANNER_SQS_INDEX_QUEUE_ARN="<INSERT_VALUE_HERE>"
S3_INDEX_FILES_BUCKET_NAME="<INSERT_VALUE_HERE>"

# Insert your AWS account ID here
YOUR_AWS_ACCOUNT_ID="<INSERT_VALUE_HERE>"

# List your buckets here (enclosed in parentheses and whitespace-separated)
S3_LOG_FILES_BUCKET_NAMES=("<BUCKET_1>" "<BUCKET_2>" "<BUCKET_3>")

# These are default names for resources to be created
IAM_SCANNER_ROLE_NAME="scnr-ScannerRole"
IAM_SCANNER_ROLE_POLICY_NAME="scnr-ScannerRolePolicy"
SNS_NOTIFICATION_TOPIC_NAME="scnr-LogFilesBucketEventNotificationTopic"
2. Create S3 index files bucket
This bucket is where Scanner stores index files, keeping all log data within your AWS account.
Please ensure this bucket is used exclusively for Scanner indexing. Avoid adding any unrelated files to maintain optimal performance.
# Set public access block
aws s3api put-public-access-block \
  --bucket "$S3_INDEX_FILES_BUCKET_NAME" \
  --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

# Check public access block
aws s3api get-public-access-block --bucket "$S3_INDEX_FILES_BUCKET_NAME"
3. Create SNS topic
When new log files appear in your S3 log files buckets, Scanner is notified through your SNS topic, which the Scanner SQS index queue subscribes to.
If you already have an SNS topic for S3 object-created event notifications, you can skip this section and use the existing topic when creating the subscription in the next section.
4. Create SNS -> Scanner SQS index queue subscription
Before creating this subscription, be sure to link your AWS account in the Scanner app. Scanner needs to update the queue's permission so that it can receive the subscription confirmation request.
If you have not linked your account, the subscription remains in the "pending confirmation" state. After linking your account, choose "Request confirmation" for the subscription again in the AWS console to fix it.
If you are using an existing SNS topic, replace the ARN below.
# Expected output
#
# The initial output will always show "pending confirmation", but Scanner should confirm the subscription within minutes.
{
    "SubscriptionArn": "pending confirmation"
}
5. Create S3 -> SNS event notifications
When a new file is created in your S3 log files bucket, send a notification to the SNS topic.
S3 allows only one destination per trigger. If any of these buckets already have SQS/Lambda notifications for object-created events, follow the instructions below to migrate them first.
An S3 event notification can have only one destination per trigger, whereas an SNS topic can fan out to multiple subscribers. We therefore change the existing S3 -> SQS/Lambda notification to S3 -> SNS -> SQS/Lambda:
- If you want to keep the notifications separate, create a new SNS topic. If not, use the same SNS topic as above.
- Create SNS -> your SQS queue/Lambda function subscription(s).
- Create SNS -> Scanner SQS index queue subscription.
- Replace the bucket's S3 -> SQS/Lambda notification with an S3 -> SNS notification, as described in this section.
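The S3 -> SNS -> SQS chain from steps 3 to 5, as an added example using the AWS CLI (not the Scanner docs' own commands): it restricts the topic policy to S3 publishing from your account, subscribes Scanner's index queue, and refuses to overwrite a bucket's existing notification configuration. The region, account ID and queue ARN defaults are constructed placeholders; the step 1 variables override them when set.

```shell
# Added example, not from the Scanner docs. Defaults below are constructed
# placeholders; the variables exported in step 1 take precedence in CloudShell.
REGION="${REGION:-us-east-1}"
YOUR_AWS_ACCOUNT_ID="${YOUR_AWS_ACCOUNT_ID:-111122223333}"
SNS_NOTIFICATION_TOPIC_NAME="${SNS_NOTIFICATION_TOPIC_NAME:-scnr-LogFilesBucketEventNotificationTopic}"
SCANNER_SQS_INDEX_QUEUE_ARN="${SCANNER_SQS_INDEX_QUEUE_ARN:-arn:aws:sqs:us-east-1:999999999999:scanner-index-queue}"

sns_topic_arn() {
  echo "arn:aws:sns:${REGION}:${YOUR_AWS_ACCOUNT_ID}:${SNS_NOTIFICATION_TOPIC_NAME}"
}

# Topic access policy: only the S3 service, acting for your own account, may publish.
# Without the SourceAccount condition a bucket in any account could publish to the topic.
sns_topic_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Sid":"AllowS3Publish","Effect":"Allow","Principal":{"Service":"s3.amazonaws.com"},"Action":"SNS:Publish","Resource":"$(sns_topic_arn)","Condition":{"StringEquals":{"aws:SourceAccount":"${YOUR_AWS_ACCOUNT_ID}"}}}]}
EOF
}

# One trigger (object created), one destination (the topic); SNS fans out from there.
s3_notification_config() {
  cat <<EOF
{"TopicConfigurations":[{"Id":"scnr-object-created","TopicArn":"$(sns_topic_arn)","Events":["s3:ObjectCreated:*"]}]}
EOF
}

# Steps 3 and 4: create the topic, set its policy, subscribe Scanner's queue.
# The subscription stays "pending confirmation" until Scanner confirms it.
create_topic_and_subscription() {
  aws sns create-topic --name "$SNS_NOTIFICATION_TOPIC_NAME" --region "$REGION" >/dev/null
  aws sns set-topic-attributes --topic-arn "$(sns_topic_arn)" \
    --attribute-name Policy --attribute-value "$(sns_topic_policy)"
  aws sns subscribe --topic-arn "$(sns_topic_arn)" --protocol sqs \
    --notification-endpoint "$SCANNER_SQS_INDEX_QUEUE_ARN"
}

# Step 5: apply to each bucket passed as an argument, e.g.
#   apply_notifications "${S3_LOG_FILES_BUCKET_NAMES[@]}"
# put-bucket-notification-configuration replaces the whole configuration, so a
# bucket that already has SQS/Lambda triggers is skipped instead of silently broken.
apply_notifications() {
  for bucket in "$@"; do
    existing=$(aws s3api get-bucket-notification-configuration --bucket "$bucket" --output json)
    if [ -n "$existing" ] && [ "$existing" != "{}" ]; then
      echo "skip $bucket: existing notification configuration, migrate it to SNS first" >&2
      continue
    fi
    aws s3api put-bucket-notification-configuration --bucket "$bucket" \
      --notification-configuration "$(s3_notification_config)"
  done
}
```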